CVE-2025-68051
Published: 20 February 2026
Summary
CVE-2025-68051 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68051 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in the Shiprocket WordPress plugin. The flaw allows exploitation of incorrectly configured access control security levels and affects all versions through 2.0.8 inclusive (the record lists no lower bound, "n/a").
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction, as reflected in its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and base score of 7.5. Successful exploitation has a high confidentiality impact, such as unauthorized access to sensitive data, with no impact on integrity or availability.
The Patchstack advisory describes this as an insecure direct object references (IDOR) vulnerability in the Shiprocket WordPress plugin up to version 2.0.8. Security practitioners should review the advisory at https://patchstack.com/database/Wordpress/Plugin/shiprocket/vulnerability/wordpress-shiprocket-plugin-2-0-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve for detailed mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208076
Vulnerability details
Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shiprocket: from n/a through <= 2.0.8.
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct IDOR/authorization bypass in a public-facing WordPress plugin lets a remote attacker exploit the Internet-facing application to read data they are not authorized to access, which is exactly the scope of T1190.
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement) requires the system to enforce approved authorizations for access to information and resources; applied here, it means the object selected by a user-controlled key must be checked against the caller's authorization before it is returned, which directly prevents the IDOR bypass.
SI-10 (Information Input Validation) requires validation of user-controlled inputs; applied here, it means the key supplied by the request must be validated so that it maps only to objects the caller is authorized to reach.
CM-6 (Configuration Settings) mandates secure configuration settings for system components, addressing the incorrectly configured access control security levels that this CVE exploits.
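To make AC-3 and SI-10 concrete for a WordPress plugin, the following added example (not code from the Shiprocket plugin or from this advisory) shows a hypothetical AJAX handler in its IDOR-prone form and in a hardened form. The hook names, the `demo_shipment` post type and the `tracking_number` meta key are assumptions made for the illustration; the WordPress functions used (`check_ajax_referer`, `get_post`, `current_user_can`, `wp_send_json_*`) are core APIs.

```php
<?php
// Added illustration of CWE-639 (IDOR) in a WordPress AJAX handler.
// NOT the Shiprocket plugin's code; post type, meta key and hook names are hypothetical.

// IDOR-prone pattern: the caller picks any object id and the handler trusts it.
// Registered on the 'nopriv' hook it is reachable without authentication.
function demo_get_shipment_vulnerable() {
    $shipment_id = absint( $_GET['shipment_id'] ?? 0 );
    $shipment    = get_post( $shipment_id );
    wp_send_json( $shipment ? array(
        'id'       => $shipment->ID,
        'tracking' => get_post_meta( $shipment->ID, 'tracking_number', true ),
    ) : null );
}

// Hardened pattern: authenticate, verify the request nonce, validate the key
// (SI-10) and enforce that the object belongs to the caller or that the caller
// holds an explicit capability (AC-3) before anything is returned.
function demo_get_shipment_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // Dies with a 403 unless a valid nonce for this action accompanies the request.
    check_ajax_referer( 'demo_get_shipment', 'nonce' );

    $shipment_id = absint( $_GET['shipment_id'] ?? 0 );
    $shipment    = $shipment_id ? get_post( $shipment_id ) : null;

    $is_owner = $shipment && (int) $shipment->post_author === get_current_user_id();
    $is_admin = current_user_can( 'manage_options' ); // assumed capability for staff access

    // Reject unknown ids, wrong object types and objects the caller does not own.
    // The same 404 is returned in every failure case so responses do not reveal
    // whether a given id exists.
    if ( ! $shipment || 'demo_shipment' !== $shipment->post_type || ( ! $is_owner && ! $is_admin ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'id'       => $shipment->ID,
        'status'   => $shipment->post_status,
        'tracking' => get_post_meta( $shipment->ID, 'tracking_number', true ),
    ) );
}

// Only the hardened handler is registered, and only for logged-in users.
add_action( 'wp_ajax_demo_get_shipment', 'demo_get_shipment_hardened' );
```

The two decisive differences are the absence of a `wp_ajax_nopriv_` registration (the endpoint is not anonymously reachable) and the ownership test on `post_author`: a valid-looking id is not enough, the object must also be one the authenticated caller is entitled to see. Whichever plugin is under review, a defender auditing for this class of bug looks for handlers on `wp_ajax_nopriv_*`, `admin-post.php` or REST routes with `permission_callback => '__return_true'` that take an id from the request and load the object without an equivalent check.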